Use Istio to deploy application services across Kubernetes and ECS instances

Starting from v0.2, Istio provides mesh expansion. With this feature, you can integrate non-Kubernetes services that typically run on VMs or bare metal hosts with the Istio service mesh that runs on your Kubernetes cluster.

Alibaba Cloud Container Service for Kubernetes supports the Istio mesh expansion capabilities. This topic uses an example from the Istio official website to detail how to use Istio to deploy application services across Kubernetes and ECS instances.

Mesh expansion

Mesh expansion is a method based on the Istio service mesh deployed on Kubernetes. With this method, you can integrate VMs or bare metal hosts into the service mesh.

Mesh expansion is suitable when you need to migrate your applications from your local system to cloud services. In a microservices system, not all workloads can run in Kubernetes. This means you may encounter scenarios in which you can only operate and maintain some services in Kubernetes, while other services run on VMs or bare metal hosts.

With the Istio control plane, you can manage services across Kubernetes and VMs or bare metal hosts, and ensure that all your services can continue to run normally.

Create a Kubernetes cluster and install Istio

Alibaba Cloud Container Service for Kubernetes 1.11.5 is now available. You can quickly create a Kubernetes cluster through the Container Service console. For more information, see Create a Kubernetes cluster.

In the left-side navigation pane, choose Store > App Catalog, and click ack-istio on the right side.

On the displayed page, select istio-system from the namespace drop-down list, and click Values. You can edit parameters to customize your Istio.

Note: The readme document on the page provides the installation and removal information, including common questions about Custom Resource Definition (CRD) versions.

Install the sample application in your Kubernetes cluster

Run the following commands or use the console to create the bookinfo namespace, and then deploy the modified application. In the modified application, the details component is removed and ingressgateway is defined.

Both the details and the database components of the application deployment run on the ECS instance that is outside the Kubernetes system.

Access the /productpage page through the address exposed by ingressgateway and verify that the details part cannot be displayed.

Configure your Kubernetes

If you did not set internal load balancers for Kube DNS, Pilot, Mixer, and Citadel when you installed Istio, you need to run the following command:

kubectl apply -f ./mesh-expansion.yaml

As shown in the following figure, the four services are created.

Generate the cluster.env Istio configuration file and the kubedns DNS configuration file, both of which are to be deployed on the VMs. The cluster.env file contains the range of the cluster IP addresses that will be intercepted. The kubedns file contains the cluster service names that can be resolved by the applications on the VMs and will then be intercepted and forwarded by the sidecar.

To generate the configuration files, run the following command:

./setupMeshEx.sh generateClusterEnvAndDnsmasq

Configuration file cluster.env

Configuration file kubedns

Set up the ECS instance

Configure your working environment to communicate with the ECS instance. Generate an SSH key and assign it to the ECS instance. You can run the ssh root@<ECS_HOST_IP> command to check if you can connect to the ECS instance.

To generate a public key, run the following command:

ssh-keygen -b 4096 -f ~/.ssh/id_rsa -N ""

Note: To ensure that the ECS instance and Kubernetes are mutually accessible over the Internet, you need to add them to the same security group.

With Alibaba Cloud Container Service for Kubernetes, you can quickly configure an ECS instance by running the following script:

Register the Details service with Istio

Run the following command to view the IP address of the VM so that you can add it to the service mesh:

hostname -I

Manually configure a selector-less service and endpoints. The selector-less service is used to host services that are not backed by Kubernetes pods. For example, run the following command to register the Details service on a server that has the permissions to modify Kubernetes services and supports istioctl commands:

istioctl -n bookinfo register details 192.168.3.202 http:9080

Access the /productpage page again to verify that the details part is displayed as shown in the following figure.

Update the Ratings service to the version that can access a database

By default, the Ratings service cannot access any database. Run the following command to update the service version so that the service can access the database:

Access the /productpage page to verify that the Ratings part cannot be displayed as shown in the following figure. Then, you need to build a database service on the ECS instance and add the service to Istio.

Run a database service on the ECS instance

On the VM, run MariaDB as the backend for the Ratings service, and set MariaDB to be remotely accessible.

Run the following command to register the database service on a server that has the permissions to modify Kubernetes services and supports istioctl commands:

istioctl -n bookinfo register mysqldb 192.168.3.202 3306

Now Kubernetes pods and other servers included in the mesh expansion can access the database service running on this server.
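The selector-less service and endpoints behind the Details and database registrations above can be rendered as plain manifests and reviewed before they are applied. This is an added example, not code from this topic, from Istio, or the exact output of istioctl register; valid_ipv4 and render_vm_service are hypothetical helper names, and naming a bare port "tcp" is an assumption.

```shell
#!/bin/sh
# Added example; valid_ipv4 and render_vm_service are hypothetical helpers,
# not part of istioctl or setupMeshEx.sh.

# Succeeds only for a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() (
  case "$1" in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
  IFS=.; set -- $1
  [ $# -eq 4 ] || exit 1
  for o in "$@"; do
    [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || exit 1
  done
)

# Usage: render_vm_service NAMESPACE NAME VM_IP [PORTNAME:]PORT
render_vm_service() (
  ns=$1 name=$2 ip=$3 spec=$4
  case "$spec" in
    *:*) pname=${spec%%:*} port=${spec##*:} ;;  # e.g. http:9080
    *)   pname=tcp port=$spec ;;                # assumption: bare port is named "tcp"
  esac
  valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; exit 1; }
  case "$port" in ''|*[!0-9]*|??????*) echo "invalid port: $port" >&2; exit 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "invalid port: $port" >&2; exit 1; }
  # Istio derives the protocol from the port name (http, tcp, ...), so keep it.
  cat <<EOF
apiVersion: v1
kind: Service
metadata:
  name: $name
  namespace: $ns
spec:              # no "selector" field: Kubernetes creates no endpoints itself
  ports:
  - name: $pname
    port: $port
---
apiVersion: v1
kind: Endpoints
metadata:
  name: $name      # must equal the Service name
  namespace: $ns
subsets:
- addresses:
  - ip: $ip        # the VM address reported by hostname -I
  ports:
  - name: $pname
    port: $port
EOF
)

render_vm_service bookinfo details 192.168.3.202 http:9080
```

Pipe the output to kubectl apply -f - once the address and port have been checked against the VM that is meant to receive the traffic.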

Access the /productpage page to verify that both the Details and Ratings parts can be displayed and these two services are provided by the ECS instance.

Conclusion

Alibaba Cloud Container Service for Kubernetes provides the Istio mesh expansion capabilities. This topic uses a sample application from the Istio official website to detail how to use Istio to deploy application services across Kubernetes and ECS instances.

We recommend that you use Alibaba Cloud Container Service for Kubernetes to quickly build Istio, an open management platform for microservices, and integrate Istio with the microservice development of your project.